SMS Replacement is Exposing Users to Text, Call Interception Thanks to Sloppy Telecos
Researchers from SRLabs found that telecos are implementing the RCS standard in vulnerable ways, which bring back techniques to attack phone networks.
by Joseph Cox
Nov 29 2019, 6:00am
Image: Aitor Diago
A standard used by phone carriers around the world can leave users open to all sorts of attacks, like text message and call interception, spoofed phone numbers, and leaking their coarse location, new research reveals.
The Rich Communication Services (RCS) standard is essentially the replacement for SMS. The news shows how even as carriers move onto more modern protocols for communication, phone network security continues to be an exposed area with multiple avenues for attack in some implementations of RCS.
"I'm surprised that large companies, like Vodafone, introduce a technology that exposes literally hundreds of millions of people, without asking them, without telling them," Karsten Nohl from cybersecurity firm Security Research Labs (SRLabs) told Motherboard in a phone call.
SRLabs researchers Luca Melette and Sina Yazdanmehr will present their RCS findings at the upcoming Black Hat Europe conference in December, and discussed some of their work at security conference DeepSec on Friday.
RCS is a relatively new standard for carrier messaging and includes more features than SMS, such as photos, group chats, and file transfers. Back in 2015, Google announced it would be adopting RCS to move users away from SMS, and that it had acquired a company called Jibe Mobile to help with the transition. RCS essentially runs as an app on your phone that logs into a service with a username and password, Nohl explained.
SRLabs estimated RCS is already implemented by at least 100 mobile operators, with many of the deployments being in Europe. SRLabs said that all the major U.S. carriers—AT&T, T-Mobile, Sprint, and Verizon—were using RCS.
Do you work for AT&T, T-Mobile, Sprint, or Verizon? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
SRLabs didn't find an issue in the RCS standard itself, but rather how it is being implemented by different telecos. Because some of the standard is undefined, there's a good chance companies may deploy it in their own way and make mistakes.
"Everybody seems to get it wrong right now, but in different ways," Nohl said. SRLabs took a sample of SIM cards from a variety of carriers and checked for RCS-related domains, and then looked into particular security issues with each. SRLabs didn't say which issues impacted which particular telecos.
Some of those issues include how devices receive RCS configuration files. In one instance, a server provides the configuration file for the right device by identifying them by their IP address. But because they also use that IP address, "Any app that you install on your phone, even if you give it no permissions whatsoever, it can request this file. So now every app can get your username and password to all your text messages and all your voice calls. That's unexpected," Nohl said.
In another instance, a teleco sends a text message with a six-digit code to verify that the RCS user is who they say they are, but "then give you an unlimited number of tries" to input the code, Nohl said. "One million attempts takes five minutes," he added, meaning that it could be possible to brute force through the authentication process.
"All of these mistakes from the 90s are being reinvented, reintroduced," Nohl said. "It is being rolled out for upwards of a billion people already who are all affected by this."
Verizon did not respond to a request for comment and T-Mobile did not provide a statement in time for publication.
Vodafone said in a statement, "We are aware of the research by SRLabs. We take security very seriously and we have a number of measures in place to protect RCS services. We will review these protections in light of the research and, if required, take any further protective measures."
AT&T and Sprint directed questions to the GSM Association (GSMA), a trade body for network operators.
Claire Cranton, a spokesperson for the GSMA, wrote in an email, "The GSMA is aware of research undertaken by SRLabs into RCS security in which some previously known, but no new, vulnerabilities are reported. The findings highlight issues with some RCS implementations but not every deployment, or the RCS specifications themselves, are impacted."
Cranton said the researchers will present their findings to an expert group at GSMA next week, and that an initial analysis of the research shows there are countermeasures to the uncovered issues.
"We are grateful to the researchers for allowing the industry the opportunity to consider their findings. The GSMA welcomes any research that enhances the security and user confidence of mobile services and encourages all researchers to submit their work to our Coordinated Vulnerability Disclosure (CVD) Programme which enables them to share findings and to contribute to industry’s ongoing work to drive security improvements," Cranton wrote.
Nohl said of the move to RCS, "We find that is actually a step backwards for a lot of networks."
Subscribe to our cybersecurity podcast, CYBER.